Posted by Julian Bryan, managing director of Legal Futures Associate Quill Pinpoint
When it comes to business, there’s no point in having a plan A unless you’ve got a plan B. While plan A might be the route to profits, plan B is the means of surviving, whatever challenges you come up against.
Every business is at risk of potential natural or man-made disasters. Despite our wishful thinking, sometimes the dreaded ‘what if’ scenarios become a harsh reality. While we all hope for the best, it’s essential to prepare for the worst. Then there are minor interruptions which, with adequate forethought, can be circumnavigated completely.
So, what’s your plan to recover from disaster and get back on track to plan A? And, what’s your plan for continuing running your business during lesser disturbances? These are your disaster recovery and business continuity plans respectively.
To clarify further, disaster recovery and business continuity plans are essential constituents of any business, not just technology companies. We all rely on technology to a greater or lesser extent. Power, phones and internet are now an everyday given.
But there’s more than this to consider. Your workforce, for example. A norovirus could mean your business can’t operate effectively for a few days. Without a plan, then, you’re vulnerable and can easily be caught off guard, whatever your business type.
With a lot hinging on these two plans, it’s important to get it right. To help you in this gargantuan task, here are our 10 top tips.
1. Outline what’s vital to keep your business running
The first step is to detail the things you just couldn’t operate without. In other words, if any one of these is missing due to circumstances beyond your control, you’ve got a potential grind-to-a-halt situation on your hands. Remember it’s all about the basic elements: premises, power, internet, hardware, software, water, people etc.
2. Create a list of disaster types
This may sound pessimistic and defeatist, especially when you consider the rarity of most disaster situations, but catering for a multitude of catastrophic eventualities is actually a really positive exercise. That’s because you’re better equipped to cope during a real disaster.
Looking at your essentials list, think about the reasons your critical systems and functions might stop working. Phones: could there be a line fault at the exchange? People: could a number of your staff have been struck down by a virus or could you have received resignations from key members? PCs and laptops: could you be facing the likes of a ransomware attack rendering your hardware useless? And so on and so forth.
Make a record and rank these disasters based on their likelihood as well as level of impact to your business.
3. Define your plan B
Taking things a step further, put pen to paper and determine what your plan B might look like. For example, if you run an in-house server which hosts your applications and stores your data, does this have a RAID configuration of hard disks? Do you have a UPS?
Even with seemingly fool-proof cloud systems, it’s still important to establish whether you have both main and emergency power supplies for your computer to access the cloud environment. Back-up generators and the like will usually feature here.
Similarly, if your phones are disconnected, do you have an arrangement in place to divert landline numbers straight through to corresponding mobiles, or even a second office? Do you have a pay-as-you-go spare mobile in the cupboard? This would allow those contacting you to still touch base, even if not straightaway with the intended individual.
Also, if you rely on internet banking for accounting purposes, and you lose your web connection, is there a telephone banking option? Where’s the number stored?
The scenarios go on and on; the point is, try to conjure up the many possibilities and put into place a plan B alternative. This may necessitate involvement from your core suppliers.
4. Set your recovery objectives
How long, realistically, can you manage in plan B? This is an oft-quoted metric called your recovery time objective. Your figure will be based upon real calculations, for instance how much diesel is there in the tank to run the generator if there’s a power cut? How long can you cope in the absence of departing staff before they need to be replaced? If your bank account’s inaccessible via internet banking and you can’t keep tabs on your finances, when will you run out of cash?
The difference here can be anything from an hour to several days. Knowing just how long you can last in plan B will help you prioritise the importance of putting new systems in place to preserve plan A or continue in a robust plan B mode.
5. Assign roles and responsibilities
Should disaster strike, which of your key personnel will initiate the plan task-by-task and who will take their place should they not be available at the time?
Similar in lots of ways to a military operation, your plan requires each participant to understand their job, who they need to interact with and the proper chain of command.
Calm, confident, quick-thinking people are best placed to cope during the ensuing chaos. This should largely consist of your senior managers and compliance officers.
6. Include a directory of emergency contacts
Write a list of contact names and phone numbers to be accessed instantly. Wasting time searching for this basic information during the catastrophe itself causes unnecessary delay and stress.
You’ll want to cover organisations such as your bank’s fraud report line, police national fraud and cybercrime centre, Solicitors Regulation Authority (and other regulators), professional indemnity insurer, localised emergency services, utility providers, IT suppliers, building management team (if you rent office space), regional and legal press, and your PR agency, should you decide to issue a statement.
7. Outline your preventative measures and phases of recovery
Prevention is always better than cure. Your business continuity plan should cover a range of preventative and detective measures, from SSL encryption and anti-virus software to CCTV surveillance and fire alarms.
In your disaster recovery plan, map out the various contingency phases – response, resumption, recovery and restoration. This is a co-ordinated effort between all parties involved which will ultimately set out how exactly you’ll resume mission-critical operations in as short a time period as possible.
8. Test the plans
The only way to truly know if your plans are fit for purpose is to test them in as close to realistic conditions as possible. Regularly! An under-tested plan can actually be more of a hindrance than no plan at all. Rigorous testing enables your plan to stand up to the most disruptive events.
Of course, it’s a major operational undertaking each time you perform a test, but the up-side is that your employees are thoroughly trained on their function in executing the plan. Afterwards, you can address any shortcomings or failures.
The details relating to tests should be well documented. You’ll need to record the dates, scenarios and outcomes. This will allow you to analyse properly and modify your plan accordingly.
9. Keep your plans up-to-date
These are living and breathing documents, so make sure they’re current. Maintain and update them every time an element within your working environment or infrastructure changes and people with assigned responsibilities leave or join your business.
10. Hire an outsourcing service and managed services provider
Large organisations with big teams of in-house IT expertise can leverage their own technical professionals to facilitate effective planning. Those operating on a smaller scale simply don’t have the same luxury and it can be cost-prohibitive to implement an effective plan because they lack the internal technical resources to accomplish this.
In the same vein, bigger companies recruit teams of people nicely formed into departments ready-and-willing to cover for others’ work when the going gets tough. Conversely, SMEs tend to employ individuals performing core functions single-handedly. In the absence of that particular individual, the work simply doesn’t get done.
The solution is to instruct a third-party managed services provider whereby you automatically inherit your provider’s business continuity and disaster recovery plans.
Julian Bryan is also chair of the Legal Software Suppliers Association.